Introduction to Internal Control:

I'm working on the exam, but will be back to add outline items. In the meantime, feel free to add your own outline.

The major reasons for exercising control:
  • to provide reasonable assurance that the goals of each business process are being achieved
  • to mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss
  • to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations

Sarbanes-Oxley Act (SOA, more commonly abbreviated SOX): As a result of numerous business scandals and instances of financial incompetence, the federal government intervened in the governance of corporate affairs by enacting the Sarbanes-Oxley Act in 2002. The act changed the face of corporate reporting and auditing by addressing several key areas: it created a new accounting oversight board (the PCAOB), strengthened auditor independence rules, increased the accountability of company officers and directors, made upper management responsible for the company's internal control structure, enhanced the quality of financial reporting, and increased the penalties for white-collar crime. Furthermore, the act prohibits audit firms from providing a wide array of non-audit services to audit clients; in particular, it prohibits consulting engagements involving the design and implementation of financial information systems.

Computer Virus: a program that attaches itself to other programs (including macros within word-processing documents), thereby infecting those programs and macros. Viruses may also be written into the boot sectors of PCs. A virus is activated when an infected program is run, an infected document is opened, or the computer is booted from an infected disk. Viruses alter their host programs, destroy data, or render computer resources (e.g., disk drives, central processor, networks) unavailable for use. What distinguishes viruses from other malicious programs such as logic bombs and Trojan horses is that they reproduce themselves, in a manner analogous to biological viruses.

Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain. Management's legal responsibility to prevent fraud and other irregularities is implied by the Foreign Corrupt Practices Act and by the Sarbanes-Oxley Act, whose sections 302 and 404 make officers responsible for certifying financial reports and for the system of internal control over financial reporting. A survey from Ernst & Young on fraud risks and internal controls in emerging markets: 2006 Fraud Survey

Implications of Computer Fraud and Abuse
Computer-related crimes have been referred to as computer fraud, computer abuse, or computer crime. The majority of computer crimes are of two basic types:
(1) The computer is the tool the criminal uses to accomplish the illegal act. For instance, the perpetrator illegally accesses one or more banking systems to make unauthorized transfers to a foreign bank account.
(2) The computer, or the information stored in it, is the target of the criminal. Widely publicized instances of computer viruses fall into this category.
Two points to keep in mind: insiders commit the majority of computer crimes, and the methods are endless and constantly changing. Computer crime is also an instructive example of a process failure: it is the mark of a poorly controlled process.

Characteristics of Fraud:

1. Motivation
2. Opportunity
3. Personal Characteristics

Generally, a person's motivation and personal characteristics cannot be changed. One element common to most occupational fraud offenders, from the CEO to the rank-and-file employee, is that almost none of them took their jobs for the purpose of committing fraud; they are typically first-time offenders. Therefore, since the first two characteristics are beyond the company's control, the best way to avoid fraud is to minimize the opportunity for it by establishing an effective system of internal controls.

The elements of fraud are best illustrated by the fraud triangle below. Employees who commit fraud are generally able to do so because there is opportunity, pressure, and a rationalization.
[Image: the fraud triangle (41triangle.jpg)]
Opportunity is generally provided by weaknesses in internal control. Examples include inadequate or absent:
  • Supervision and review
  • Separation of duties
  • Management approval
  • System controls

Pressure can be imposed due to:

Rationalization occurs when the individual develops a justification for their fraudulent activities. The rationalization varies by case and individual. Some examples include:
  • “I really need this money and I’ll put it back when I get my paycheck”
  • “I’d rather have the company on my back than the IRS”
  • “I just can’t afford to lose everything – my home, car, everything”

Information Gathered From: Understanding Internal Controls
A notable case involved the Rigas family, owners of the Adelphia cable company, who stole hundreds of millions of dollars from investors. The Rigases used company jets for private vacations, including an African safari, and borrowed billions of dollars from the company for their private use. John Rigas borrowed so much from the company to cover personal debts that his son had to limit him to $1 million per month; his salary was listed at $1.9 million per year. Timothy Rigas told employees to falsify company documents by creating false receipts showing that the family had paid for stock, to ease the debt pressures. When these practices were revealed, Adelphia's stock dropped from $20.39 to $0.70 and was delisted shortly after. Both misappropriation of assets and fraudulent financial reporting occurred in this case. SOX also prohibits corporate loans to management (personal loans to directors and executive officers).

The COSO Definition of Internal Control: internal control is a process - effected by an entity's board of directors, management, and other personnel - designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Common Business Exposures:


1. Erroneous Recordkeeping is the recording of events contrary to established accounting policies. This exposure is often caused by the incomplete or inaccurate processing of an event.
2. Unacceptable Accounting is the establishment or implementation of accounting policies that are not generally accepted or are inappropriate to the circumstances. This exposure is often caused by an improper interpretation or a willful disregard of GAAP or some other set of accounting regulations.
3. Business Interruption may include anything from a temporary suspension of operations to a permanent termination of the enterprise. This exposure may be caused by a number of factors, including irreparable damage to an organization's database.
4. Erroneous management decisions are objectionable in themselves but may also lead to other exposures. This exposure is often caused by managers using misleading information relative to a particular decision.
5. Fraud and embezzlement may be perpetrated at different levels (against management or by management). This exposure may be caused by direct misappropriation of funds or by deliberate communication or misinformation to management or investors.
6. Statutory Sanctions are any of the various penalties that may be brought by judicial or regulatory authorities that have jurisdiction over an organization's operations. This exposure may be caused by a number of factors, including violation of the Foreign Corrupt Practices Act (FCPA).
7. Excessive Costs may include unnecessary expenses involved in operating a business. This exposure may be caused by failing to require that all expenditures over a certain dollar amount be approved.
8. Loss or destruction of resources is the unintentional loss of physical resources (cash, inventory, etc.) and the loss of information (inventory master data, etc.). This exposure is often caused by a lack of adequate safeguards over an organization's resources.
9. Competitive disadvantage relates to any inability of an organization to remain abreast of the demands of the marketplace or to respond effectively to competitive challenges. This exposure may be caused by a number of factors, including the use of an outdated computer system that fails to respond to customer needs as effectively as do systems used by competitors.

COSO definition of internal control, adopted by SAS No.78
Internal control is a process – effected by an entity’s board of directors, management, and other personnel – designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
    • Process - a series of actions or operations leading to a particular and usually desirable result.
Internal control is not an end in itself. It is a means to an end, the end of attaining process objectives. Internal control itself is a system: it must have clearly defined goals and must consist of interrelated components that act in concert to achieve those goals. In this sense internal control is a process, a series of actions or operations leading to a desirable result.
It is the management's responsibility to establish a viable internal control system. But the strength of any internal control system is largely a function of the people who operate it. No matter how sound the control processes may be, they will fail unless the personnel who apply them are competent and honest. Internal control cannot be expected to provide absolute assurance that the organization will reach its objectives. Rather, it provides reasonable assurance.
Internal control has a cost associated with it. It should result from management's thoughtful risk analysis and evaluation of cost/benefits.
Internal Control (alternate definition) - system of integrated elements - people, structure, processes, and procedures - acting in concert to provide reasonable assurance that an organization achieves its business process goals.

Internal control comprises five interrelated components:
1. Control Environment- sets the tone of an organization, provides discipline and structure. It is usually provided by upper management.


The Sarbanes-Oxley Act established the standard that clearly places the responsibility of accurate annual and quarterly reports on the shoulders of the company’s CEO and CFO. Additionally, the Act makes these very same individuals responsible for establishing internal controls, ensuring that the internal controls are functioning properly, and reporting on the effectiveness of these controls.


Sarbanes-Oxley, Controls and Accounts Payable


Definition and Purposes of Internal Control for Section 404 of the Sarbanes-Oxley Act (SOX)

According to Internal Control - Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992, internal control encompasses a set of policies, rules, and procedures enacted by management to provide reasonable assurance that 1) financial reporting is reliable, 2) operations are effective and efficient, and 3) activities comply with applicable laws and regulations. This definition clearly indicates that internal control has purposes other than reliable financial reporting. In fact, it implies that internal control deals with potential risks existing in three areas of business: information processes (capturing data, maintaining databases, and providing information to achieve reliable financial reporting); operation processes (activities in the value chain to achieve operational efficiency and effectiveness); and compliance processes (the objective of conformity with laws and regulations).
The most crucial is the management process, referred to above as the management system, that dictates and controls all other business processes. ("Business processes" as used in this article refers to the combination of the management, operation, information, and compliance processes.) Lack of attention to internal controls in the management process is another major weak spot of the traditional internal control concept; it has not been explored and stressed in the internal control literature. Risks in the management processes, discussed below, are much more critical. Significant potential risky events in every business process, if they do occur, can contribute to failures of internal control over financial reporting. Risks in the information process are not the only source of failure of internal control over financial reporting.
Thus, a better way to state the requirement of section 404 is: Management and independent auditors are required to report on the effectiveness of internal control over enterprise risks affecting financial reporting.
An effective system of internal control must be built on an analysis of enterprise-wide risks. Traditionally, independent auditors focus on risks directly related to business transactions as defined by generally accepted accounting principles (GAAP), and therefore risks in the information process are the focal points in evaluating the strengths and weaknesses of internal control. Risks, however, exist in every business process, and some risks, if and when their related events materialize, will significantly affect financial reporting. In fact, major enterprise risks rarely originate within the accounting process. Recent corporate malfeasances such as Enron and WorldCom were the results of risks realized in the management process and other major business processes; those companies were toppled by failures of governance, not by failures of their information systems.
It is not surprising, then, that COSO made risk assessment one of the five components of internal control in its 1992 framework. In September 2004, COSO extended and refined the original concept of risk assessment by issuing Enterprise Risk Management - Integrated Framework, which is designed to manage risk by providing reasonable assurance regarding the achievement of the following entity objectives:
  • Strategic: high-level goals, aligned with and supporting its mission;
  • Operations: effective and efficient use of its resources;
  • Reporting: reliability of financial reporting; and
  • Compliance: compliance with applicable laws and regulations.
Thus, in the process of creating value for its customers and other stakeholders, an entity must be able to systematically assess and analyze all material risks that affect the aforementioned entity objectives.


The Impact of IT on Auditing Professional Standard Setting

Following the lead of the American Institute of Certified Public Accountants (AICPA), independent accountants throughout the world have been exploring new types of assurance services. The AICPA recognized the importance of this area when its Special Committee on Assurance Services analyzed and reported on the trends shaping the emerging environment for audit and assurance services, and designed new assurance offerings suited to that environment. As the way CPAs and their audit clients use computers changes, CPAs must look to the existing audit literature for guidance on the role of computers in the financial statement audit. The objectives of control procedures are the same whether the procedures are manual or computerized. The Auditing Standards Board (ASB) recognized the effect of IT on the audit process with Statement on Auditing Standards (SAS) No. 94, issued in 2001, which amends the earlier SAS No. 55. SAS No. 55, "Consideration of Internal Control in a Financial Statement Audit," specified a model for audit risk and contained much of the authoritative literature on computers in auditing; SAS No. 94 was issued to bring the effects of IT into the professional standards, and so it addresses the impact of IT on internal control, on the auditor's understanding of internal control, and on the assessment of control risk.




2. Risk Assessment- analysis of relevant risks to achievement of objectives.
Factors indicative of increased financial reporting risk:
  • Changes in the regulatory or operating environment
  • Changes in personnel
  • Implementation of a new or modified information system
  • Rapid growth of the organization
  • Changes in technology affecting production processes or information systems
  • Introduction of new lines of business, products, or processes.

3. Control Activities- the policies and procedures that help ensure management's directives are carried out. Examples include:
  • Pre-numbering documents
  • Authorization of transactions (authorization forms)
  • Performance reviews
  • Information processing controls
  • Independent checks and independent reviews
  • Documentation
  • Physical controls, including custody of assets
  • Segregation of duties
  • Audit trails and transaction logs
  • Reconciliation
  • Exception reporting
  • Supervisory reviews
4. Information and Communication- identifies, captures, and exchanges information in a form and time frame that enable people to carry out their responsibilities.
5. Monitoring- assesses the quality of internal control performance
Internal control, restated, is a system of integrated elements – people, structure, processes, and procedures – acting in concert to provide reasonable assurance that an organization achieves its business process goals. The design and operation of the internal control system is the responsibility of top management and therefore should:
  • Reflect management’s careful assessment of risks
  • Be based on management’s evaluation of costs vs. benefits
  • Be built on management’s strong sense of business ethics and personal integrity
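Segregation of duties appears above as a control activity, and it is one of the few that can be checked mechanically once the organization's access model is written down. The following is an added example, not code from the original page: it takes a constructed role-based access matrix and a constructed list of conflicting duties (the "toxic combinations" an auditor would look for, such as creating a vendor and releasing payment to it), then applies both a detective control (a scan of who currently holds conflicting duties) and a preventive control (a provisioning gate that refuses a role grant which would create a conflict). The roles, users, permission names and rules are all assumptions made for illustration.

```python
"""Segregation-of-duties (SoD) check over a role-based access matrix.

Added example, not code from the original page. The roles, permissions,
users and conflict rules below are constructed for illustration.
"""
from itertools import combinations

# Permissions each role grants (constructed sample data).
ROLE_PERMISSIONS = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.approve", "payment.release"},
    "cashier":       {"receipt.record", "cash.custody"},
    "treasury":      {"bank.reconcile"},
    "developer":     {"code.change"},
    "prod_ops":      {"code.deploy"},
    "superuser":     {"vendor.create", "payment.release"},   # conflicts with itself by design
}

# Duties one person must not hold together, with the fraud each pairing would enable.
SOD_RULES = [
    ("vendor.create", "payment.release", "set up a fictitious vendor and pay it"),
    ("invoice.enter", "invoice.approve", "approve one's own invoices"),
    ("cash.custody", "bank.reconcile", "conceal skimmed cash in the reconciliation"),
    ("code.change", "code.deploy", "push unreviewed code into production"),
]

# Current role assignments (constructed).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "ap_supervisor"},
    "carol": {"cashier", "treasury"},
    "dave":  {"developer"},
    "erin":  {"superuser"},
}


def permissions_of(roles, role_perms=ROLE_PERMISSIONS):
    """Flatten a set of roles into the permissions they grant."""
    perms = set()
    for role in roles:
        perms |= role_perms.get(role, set())
    return perms


def conflicts_in(perms, rules=SOD_RULES):
    """Return the descriptions of every rule violated by one permission set."""
    return [why for a, b, why in rules if a in perms and b in perms]


def sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Detective control: periodic scan of who currently holds conflicting duties."""
    findings = {}
    for user, roles in sorted(user_roles.items()):
        hits = conflicts_in(permissions_of(roles, role_perms), rules)
        if hits:
            findings[user] = hits
    return findings


def self_conflicting_roles(role_perms=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Design check: a role granting both sides of a rule can never be assigned safely."""
    return sorted(r for r, p in role_perms.items() if conflicts_in(p, rules))


def toxic_role_pairs(role_perms=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Role pairs that must never be co-assigned; useful as a provisioning policy table."""
    pairs = set()
    for r1, r2 in combinations(sorted(role_perms), 2):
        if conflicts_in(role_perms[r1] | role_perms[r2], rules):
            pairs.add((r1, r2))
    return pairs


def can_assign(user, new_role, user_roles=USER_ROLES,
               role_perms=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Preventive control: refuse a grant that would create a conflict. Returns (ok, reasons)."""
    proposed = set(user_roles.get(user, set())) | {new_role}
    reasons = conflicts_in(permissions_of(proposed, role_perms), rules)
    return (not reasons, reasons)


if __name__ == "__main__":
    for user, why in sod_violations().items():
        print(f"{user}: " + "; ".join(why))
    print("roles unsafe by design:", self_conflicting_roles())
    print("alice -> ap_supervisor:", can_assign("alice", "ap_supervisor"))
```

The detective scan is what an internal auditor would run against an export of the access system each period; the provisioning gate is the preventive form of the same rule and is where the real value is, because a conflict that is never granted never needs a compensating review. Where a conflict must be tolerated (small finance teams), the scan output is the list of users whose work needs a supervisory review as a compensating control.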

Key Elements of a System of Internal Controls:
Control Goals- Business process objective that an internal control system is designed to achieve. Control goals are divided into operations and information processes.
- Control goals of operations process
  1. Ensure effectiveness of operations (Is the given operational process fulfilling the purpose for which it was intended?) - a measure of success in meeting one or more operations process goals, which reflect the criteria used to judge the effectiveness of various business processes. Because these goals are set by people they are subjective, and no uniform set of process goals exists.
  2. Ensure efficient employment of resources (Does the cost outweigh the benefit?) - a measure of the productivity of the resources applied to achieve a set of goals. If the cost is more than the benefits obtained, the system might be considered inefficient.
  3. Ensure security of resources (Are both physical and non-physical resources secure?) - Protecting an organization's resources from loss, destruction, disclosure, copying, sale, or other misuse.
- Control goals of information process
  1. Input validity - a control goal that requires that input data be appropriately approved and represent actual economic events and objects.
  2. Input completeness - a control goal that requires that all valid events or objects be captured and entered into a system.
  3. Input accuracy - a control goal that requires that events be correctly captured and entered into a system.
  4. Update Completeness - a control goal that requires that all events entered into a computer are reflected in their respective master data.
  5. Update accuracy - a control goal that requires that data entered into a computer are reflected correctly in their respective master data.

Achieving update completeness and update accuracy is easier when the following types of processing error are kept in mind.

Programming errors- logical and technical errors that may exist in the program software

Operational errors- errors that occur when input data intended for more than one application are not applied everywhere they are needed.

Control Plans - reflect information processing policies and procedures that assist in accomplishing control goals. Control plans can be classified in the following way:
- The control environment comprises a multitude of factors that can either reinforce or undermine the effectiveness of the pervasive and business process control plans.
- Pervasive control plans relate to a multitude of goals and processes. They provide the surrounding conditions in which the various business processes operate. They are broad in scope and apply equally to all business processes, hence they pervade all systems.
- Business process control plans relate to controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process the data.

Another way to classify controls is by the timing of their occurrence:

- Preventive control plans stop problems from occurring (Ex: programmed verification of customer number);
- Detective control plans discover that problems have occurred (Ex: comparisons of input and output documents to ensure that no discrepancies exist between them)
- Corrective control plans rectify problems that have occurred (Ex: if discrepancies are detected, the company should have procedures for reprocessing the incorrect items)
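The information process control goals listed earlier (input validity, completeness and accuracy; update completeness and accuracy) and the preventive/detective/corrective classification just above describe the same machinery from two angles, so one worked example serves both. The following is an added example, not code from the original page: it processes a constructed batch of sales transactions through a preventive check (a mod-10 check digit on the customer number, standing in for the "programmed verification of customer number" mentioned above, plus a lookup against master data), detective checks (record count, control total and sequence-gap checks on the batch, and a reconciliation of master data before and after posting), and a corrective path (rejected items routed to a suspense file for reprocessing). The batch layout, the check-digit scheme and the master data are assumptions made for illustration.

```python
"""Batch input and update controls over constructed sales transactions.

Added example, not code from the original page. The batch layout
(header 'H,count,total' followed by 'D,seq,customer,amount' lines), the
mod-10 check digit on customer numbers and the master data are assumptions.
"""
import copy
from decimal import Decimal, InvalidOperation

# Customer master data (constructed). The last digit of each key is a mod-10 check digit.
_CUSTOMER_MASTER = {
    "10017": {"name": "Acme Ltd", "balance": Decimal("100.00")},
    "10025": {"name": "Birch Co", "balance": Decimal("0.00")},
}


def fresh_master():
    """A private copy of the master data so every run starts from the same state."""
    return copy.deepcopy(_CUSTOMER_MASTER)


def check_digit_ok(number):
    """Preventive (input accuracy): mod-10 verification catches most keying errors."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_batch(text):
    """Split a batch into its header and detail records; malformed layout is rejected outright."""
    lines = [ln.split(",") for ln in text.strip().splitlines() if ln.strip()]
    if not lines or lines[0][0] != "H" or len(lines[0]) != 3:
        raise ValueError("missing or malformed batch header")
    header = {"count": int(lines[0][1]), "total": Decimal(lines[0][2])}
    details = []
    for f in lines[1:]:
        if f[0] != "D" or len(f) != 4:
            raise ValueError(f"malformed detail record: {f}")
        details.append({"seq": int(f[1]), "customer": f[2], "amount": f[3]})
    return header, details


def batch_control_errors(header, details):
    """Detective (input completeness): record count, control total and pre-numbered sequence."""
    errors = []
    if len(details) != header["count"]:
        errors.append(f"record count {len(details)} != header count {header['count']}")
    try:
        total = sum(Decimal(d["amount"]) for d in details)
    except InvalidOperation:
        total = None
    if total != header["total"]:
        errors.append(f"control total {total} != header total {header['total']}")
    seqs = sorted(d["seq"] for d in details)
    if seqs != list(range(1, len(details) + 1)):
        errors.append(f"sequence gap or duplicate: {seqs}")
    return errors


def item_errors(rec, master):
    """Preventive (input validity and accuracy): one transaction checked against master data."""
    errors = []
    if not check_digit_ok(rec["customer"]):
        errors.append("customer number fails check digit")
    elif rec["customer"] not in master:
        errors.append("customer not on master file")
    try:
        amt = Decimal(rec["amount"])
        if amt <= 0 or amt != amt.quantize(Decimal("0.01")):
            errors.append("amount must be positive with at most two decimals")
    except InvalidOperation:
        errors.append("amount is not numeric")
    return errors


def process_batch(text, master):
    """Run the controls, post valid items, route rejects to suspense, then reconcile."""
    header, details = parse_batch(text)
    result = {"batch_accepted": False, "posted": [], "suspense": [], "errors": [], "reconciled": False}
    result["errors"] = batch_control_errors(header, details)
    if result["errors"]:
        return result                       # whole batch rejected before any update
    result["batch_accepted"] = True
    opening = sum(c["balance"] for c in master.values())
    for rec in details:
        errs = item_errors(rec, master)
        if errs:
            result["suspense"].append({**rec, "reasons": errs})   # corrective: fix and reprocess
            continue
        master[rec["customer"]]["balance"] += Decimal(rec["amount"])
        result["posted"].append(rec)
    # Detective (update completeness and accuracy): master moved by exactly what was posted.
    closing = sum(c["balance"] for c in master.values())
    posted_total = sum(Decimal(r["amount"]) for r in result["posted"])
    result["reconciled"] = (closing - opening == posted_total)
    return result


# Constructed batches: GOOD_BATCH carries one mistyped customer number (10018 fails the
# check digit); BAD_BATCH fails its control total and must be rejected as a whole.
GOOD_BATCH = """H,3,175.50
D,1,10017,100.00
D,2,10018,50.00
D,3,10025,25.50
"""
BAD_BATCH = """H,2,60.00
D,1,10017,50.00
D,2,10025,5.00
"""
```

Running `process_batch(GOOD_BATCH, fresh_master())` posts items 1 and 3, sends item 2 to suspense with its reason, and reports the master data reconciled; `process_batch(BAD_BATCH, fresh_master())` stops at the batch-level check and touches nothing, which is the point of a control total: a mismatch means a record was lost or altered between preparation and entry, and no item should be posted until that is explained.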


What did the US congress actually try to do with SOX?

According to this article written in 2004, http://www.workers.org/ww/2004/skilling0304.php, the author from this workers.org website, Heather Cottin, believes that SOX is merely a smokescreen created by congress in order to "rescue Wall Street" and to "assure investors that this could never happen again." There were many corporate scandals that arose just before the issuance of this new documentation that placed many expensive requirements upon corporate America. Enron, WorldCom, Adelphia, Tyco, Global Crossing, Qwest, Xerox, MicroStrategy, ImClone, AOL Time Warner, Kmart, Citigroup and J.P. Morgan Chase were all part of the decline in investor confidence.

According to the Washington Post, Nov. 8, 2002, a senator stated that the new law was tough and suggested that it would not be implemented. The author, in a less-than-friendly way, pointed out that 500 FBI agents were taken off corporate crime investigations to be placed on the "War on Terror." Cottin goes on to quote Deputy Attorney General Larry Thompson implying that there would not be massive "lynching" of corporate executives.

This article was just a pry into the minds of those who believe that we are supposed to be tricked into believing that we live in a just and moral society of business activities. There are those out there who carry on ethical business, but so often the corporate culture is behind these scandals. Faulty compensation policies, poor corporate governance, and a lack of power in the internal audit function are what cause these catastrophic happenings. The Sarbanes-Oxley Act of 2002 was an attempt to ensure that companies had these functions properly running. I believe that this has helped, but at this point, it seems that it might be a bit of an overkill. I would not suggest removing the 404 work, but rather requiring less frequent testing of those controls.

In response to the title of this article, the US congress wanted to give the American economy the comfort of knowing that somebody is on their side.